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Abstract 

Our  timed  Z-channel  (a  general  case  of  the  Z- 
channel)  appears  as  the  basis  for  a  large  class  of  covert 
channels.  Golomb  analyzed  the  Z-channel,  a  memo¬ 
ryless  channel  with  two  input  symbols  and  two  output 
symbols,  where  one  of  the  input  symbols  is  transmitted 
with  noise  while  the  other  is  transmitted  without  noise, 
and  the  output  symbol  transmission  times  are  egual. 
We  introduce  the  timed  Z-channel,  where  the  output 
symbol  transmission  times  are  different.  Specifically, 
we  show  how  the  timed  Z-channel  applies  to  two  exam¬ 
ples  of  covert  timing  channel  scenarios:  a  CPU  sched¬ 
uler,  and  a  token  ring  network.  We  then  give  a  detailed 
analysis  of  our  timed  Z-channel.  We  report  a  new  re¬ 
sult  expressing  the  capacity  of  the  timed  Z-channel  as 
the  log  of  the  root  of  a  trinomial  eguation.  This  changes 
the  capacity  calculation  from  an  optimization  problem 
into  a  simpler  algebraic  problem  and  illustrates  the  re¬ 
lationship  between  the  noise  and  time  factors.  Further, 
it  generalizes  Shannon’s  work  on  noiseless  channels  for 
this  special  case.  We  also  report  a  new  result  bound¬ 
ing  the  timed  Z-channel’s  capacity  from  below.  Finally, 
we  show  how  an  interesting  observation  that  Golomb 
reported  for  the  Z-channel  also  holds  for  the  timed  Z- 
channel. 


1.  Introduction 

Covert  timing  channels  arise  from  resource  sharing 
in  MLS  systems.  High  can  pass  information  to  Low, 
by  either  interfering  with,  or  refraining  from  interfer¬ 
ing  with,  the  timing  of  Low’s  activities.  In  most  of 
these  systems  this  interference  is  noisy.  The  simplest 
model  for  such  interference,  where  the  output  alphabet 
consists  of  time  values,  is  what  we  call  the  timed  Z- 
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channel.  Knowledge  of  the  characteristics  of  the  timed 
Z-channel  should  allow  the  system  designer  to  engineer 
countermeasures  to  this  danger. 

We  discuss  in  detail  two  scenarios  where  the  timed 
Z-channel  may  occur  as  a  serious  threat.  Our  first 
scenario  is  a  generalization  of  the  well-known  CPU 
scheduling  channel  [17,  25],  as  discussed  in  a  mathe¬ 
matical  sense  by  Huskamp  [9,  section  4].  It  is  very  im¬ 
portant  to  understand  noisy  versions  of  this  scenario 
because  many  researchers  are  currently  investigating 
countermeasures  to  this  scenario  and  its  variants  (e.g., 
[8,  7,  30,  10]).  Note  that  McCullough’s  [20]  “half-bit 
channels”  may  be  analyzed  as  timed  Z-channels. 

Our  second  scenario  is  quite  different,  dealing  with 
a  theoretical  MLS  computer  network  organized  as  a 
token  ring  topology.  We  show  how  a  timed  Z-channel 
can  be  exploited  as  a  covert  channel  in  a  specific  con¬ 
figuration  of  this  network.  Considering  the  current 
popularity  of  ring  topologies  for  networks  (e.g.,  FDDI, 
FDDI-II,  etc.),  we  feel  that  understanding  the  behav¬ 
ior  of  any  potential  threat  to  MLS  implementations  of 
this  type  of  network  is  desirable.  We  demonstrate  that 
a  covert  timed  Z-channel  threat  exists  under  certain 
circumstances.  Given  the  existence  of  such  a  threat, 
we  feel  that  the  designers  of  MLS  token  ring  networks 
should  be  aware  of  the  issues  and  mathematical  tools 
needed  to  recognize  this  network  threat. 

Some  of  the  important  questions  being  investigated 
that  relate  to  this  paper  follow. 

•  Is  capacity  large  enough  to  be  of  concern? 

•  Can  understanding  the  mathematical  interplay  be¬ 
tween  the  noise  and  time  variables  in  this  covert 
channel  be  used  to  lessen  capacity? 

•  How  would  the  intentional  introduction  of  noise 
affect  both  capacity  and  system  performance? 

Because  of  the  above,  we  feel  that  an  analysis  of  the 
capacity  of  the  timed  Z-channel  is  of  great  importance. 
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The  known  capacity  results  on  the  Z-channel  do  not 
extend  to  the  timed  Z-channel.  Theorem  1  and  Corol¬ 
lary  1  (the  main  mathematical  results  of  this  paper) 
show  how  capacity  can  be  easily  expressed  as  the  log 
of  a  zero  of  a  trinomial.  This  lets  us  transform  a  com¬ 
plicated  optimization  problem  into  an  algebraic  prob¬ 
lem.  In  turn,  this  gives  us  a  simple  method  for  cal¬ 
culating  capacity  and  seeing  the  interplay  between  the 
noise  and  timing  factors.  Knowledge  of  the  interplay 
between  these  various  terms  can  lead  us  to  abetter  un¬ 
derstanding  of  how  to  lessen  capacity  without  degrad¬ 
ing  performance.  This  has  been  seen  in  papers  such  as 
[3,  4],  where  noise  is  introduced  in  the  system  to  lessen 
capacity.  The  best  defense  to  covert  channel  threats  is 
a  thorough  understanding  and  analysis  of  covert  chan¬ 
nel  behavior.  Knowledge  of  similar  system  behavior 
was  of  great  significance  during  the  design  and  imple¬ 
mentation  of  the  NRL  Pump  [12,  13,  14,  23]. 

We  now  present  our  two  scenarios  in  detail,  give 
some  background  on  the  Z-channel,  and  then  give  a  de¬ 
tailed  exposition  and  analysis  of  our  timed  Z-channel. 

2.  Covert  Channel  Scenarios 

There  are  two  scenarios  presented  here.  The  first 
is  very  well-known  in  the  field  of  covert  channel  anal¬ 
ysis.  The  second  is  a  previously  undiscovered  covert 
timing  channel  existing  in  an  interesting  three  level  en¬ 
vironment  (to  date,  most  discussions  of  covert  channel 
attacks  deal  with  only  two  levels), 

2.1.  Scenario  1  —  The  CPU  scheduler  type  channel 

The  following  type  of  configuration  is  common  in 
computer  systems.  Assume  that  there  are  two  levels 
LI  and  L2,  where  L2  >  LI. 


that  studies  of  this  type  of  covert  channel  have  been 
useful  in  other  areas,  such  as  the  analysis  of  the  gener¬ 
alized  version  of  the  NRL  Pump  [15].  For  simplicity,  let 
us  assume  that  each  job  takes  time  6.  Assume  that  an 
LI  process  (e.g.,  BL1)  submits  jobs  and  observes  the 
time  to  complete  each  job.  If  an  L2  process  (e.g.,  BL2) 
does  not  submit  any  job,  each  job  in  Q1  takes  time  6 
to  complete.  If  BL2  submits  a  job,  BL1  observes  time 
26  to  complete  one  of  its  jobs  (i.e. ,  time  6  for  the  BL2 
job  and  an  additional  time  6  for  the  BL1  job).  There¬ 
fore,  we  have  the  noiseless  timing  channel  illustrated  in 
figure  2. 


(BL2  submits  no  job) 


(BL2  submits  a  job) 

Figure  2.  A  Noiseless  Timing  Channel 

The  capacity,  in  bits  per  time  unit,  of  this  noiseless 
channel  is  known  to  be  6  1  log  1+t/^ ,  [26,  21].  BL2  may 
decide  to  communicate  with  BL1  even  in  the  presence 
of  noise.  The  noise  can  be  introduced  by  another  L2 
process  (e.g.,  GL2)  that  does  not  have  any  intention  of 
communicating  with  BL1.  If  GL2  submits  a  job  and 
BL2  does  not  submit  a  job  (i.e.,  BL2  attempts  to  send 
a  binary  0),  BL1  still  observes  time  26  which  will  be 
interpreted  as  a  binary  1  from  BL2.  Therefore,  we  have 
a  covert  timed  Z-channel  where  p  +  q  =  1  as  illustrated 
in  figure  3.  This  type  of  channel,  where  capacity  (bits 
per  time  unit)  is  not  known,  is  the  focus  of  this  paper. 


(BL2  submits  a  job) 

There  are  two  queues  (i.e.,  Q2  and  Ql),  where  L2  Figure  3.  A  Timed  Z-channel 

processes  put  their  jobs/messages  into  Q2  and  LI  pro¬ 
cesses  put  their  jobs/messages  into  Ql.  A  server,  which 
is  a  shared  resource,  provides  service  in  a  round-robin 

fashion.  A  server  may  be  a  CPU  which  processes  jobs  2.2.  Scenario  2  A  Token  Ring  Timing  Channel 
from  two  different  levels.  This  is  illustrated  in  figure  1. 

In  such  a  scenario  there  exists  a  well-known  covert  A  token  ring  is  a  type  of  computer  network  orga- 

tirning  channel  from  L2  to  LI  [17,  25,  9].  We  also  note  nized  as  a  set  of  stations  arranged  in  a  ring  topology, 
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either  physically,  through  serial  connections  of  trans¬ 
mission  media  such  as  twisted  pairs  (e.g.,  the  IEEE 
802.5  Token  Ring  Local  Area  Network  standard  [27]) 
or  fiber  optic  links  (e.g.,  the  Fiber  Distributed  Data 
Interface  [5,  1,  11]),  or  logically  (e.g.,  the  IEEE  802.4 
Token  Bus  Local  Area  Network  standard  [29]).  Infor¬ 
mation  is  sequentially  transferred  from  station  to  sta¬ 
tion,  circulating  around  the  ring.  Each  station  on  the 
ring  has  a  unique  address,  and  each  information  packet 
transmitted  on  the  ring  contains  (among  many  other 
items)  a  destination  address,  a  source  address,  and  a 
special  bit  used  to  detect  when  a  packet  has  been  re¬ 
ceived.  If  a  station  wishing  to  transmit  data  has  access 
to  the  medium,  it  transfers  an  information  packet  onto 
the  ring,  where  the  packet  circulates  unidirectionally 
from  one  station  to  the  next.  Eventually,  the  destina¬ 
tion  station  copies  the  information  as  it  passes  by  on 
the  ring,  and  modifies  the  special  bit  to  serve  as  an 
ACK  to  the  source  station.  If  all  is  working  well,  the 
packet  eventually  is  received  by  the  originating  station 
and  is  removed  from  the  ring. 

A  station  gets  the  right  to  transmit  a  packet  on  the 
ring  when  it  detects  a  special  message  called  the  token 
passing  on  the  ring  medium.  The  token  is  a  symbol 
of  authority  passed  between  stations.  It  is  used  as  a 
method  for  enforcing  mutual  exclusion  among  stations 
contending  for  the  ring  transmission  medium  (only  one 
station  is  allowed  to  control  the  ring  at  any  given  time). 
A  station  wishing  to  transmit  a  packet  captures  the  to¬ 
ken  as  it  passes  by,  and  holds  it  until  it  is  finished  with 
its  transmission  (the  time  the  token  is  held  can  vary,  or 
can  be  isochronous  in  the  case  of  FDDI-II  [28]).  Gen¬ 
erally,  there  is  a  maximum  period  of  time  that  a  sta¬ 
tion  may  hold  the  token  (and  therefore  control  the  net¬ 
work).  Once  a  token  holding  station  is  finished  with  its 
transmissions,  it  releases  the  token  to  its  downstream 
neighbor.  General  token  ring  management  issues,  such 
as  initialization,  error  recovery,  etc.,  are  not  dealt  with 
in  this  paper,  but  are  available  in  the  references  noted 
above.  The  reader  who  is  not  familiar  with  token  ring 
networks  may  take  it  for  granted  that  mechanisms  ex¬ 
ists  for  error  recovery,  ring  initialization,  adding  and 
subtracting  stations,  and  so  forth. 

A  token  holding  station  wishing  to  transmit  in¬ 
formation  formats  a  packet  containing  (among  other 
things)  its  source  and  the  destination  address,  and 
transmits  the  packet  to  its  downstream  neighbor  sta¬ 
tion.  That  station,  via  a  hardware  mechanism  in  the 
network  interface,  examines  the  destination  address  in 
the  packet  header,  and  if  the  packet  is  not  destined 
for  that  station,  it  passes  the  packet  on  to  the  next 
station  in  the  ring.  If  a  station  finds  that  a  packet  is 
destined  for  itself,  it  receives  the  packet,  modifies  the 


special  bit  in  the  packet  signifying  that  it  received  the 
packet,  and  passes  the  packet  on  to  its  downstream 
neighbor  station.  Eventually,  the  packet  will  travel  to 
the  originating  station  (i.e. ,  the  station  holding  the  to¬ 
ken).  The  originating  station  then  examines  the  spe¬ 
cial  bit  to  verify  that  the  packet  was  received.  It  then 
passes  (releases)  the  token  on  to  the  next  station  in  the 
ring. 

Of  interest  to  us  is  an  MLS  token  ring  network.  This 
is  a  token  ring  network  where  each  station  has  a  level. 
Communication  between  stations  must  obey  the  Bell- 
LaPadula  (BLP)  principles  [2].  Such  a  token  ring  would 
allow  only  reception  of  packets  by  a  station  at  a  level 
that  dominates  the  level  of  the  transmitting  station.  Of 
course,  the  token  is  passed  independently  of  any  BLP 
considerations. 

Such  an  MLS  token  ring  network  (loosely  based  on 
the  IEEE  802.4  and  802.5  standards)  would  require 
hardware  not  needed  for  a  non-MLS  token  ring  net¬ 
work.  A  modification  to  the  hardware  would  be  needed 
so  that  all  packets  would  have  a  label  attached,  indicat¬ 
ing  their  Mandatory  Access  Control  (MAC)  level  (e.g., 
Low,  Medium,  High).  In  addition,  we  would  want  the 
hardware  to  enforce  our  MAC  BLP-like  policies,  so  that 
a  packet  sent  from  a  station  at  a  higher  level  could  not 
be  received  by  a  station  at  a  lower  level  (i.e.,  in  such 
a  case,  the  packet  would  be  sent  unread  to  the  down¬ 
stream  station).  This  could  be  easily  accomplished  by 
modifying  (if  necessary)  the  ring  physical  layer  inter¬ 
face  hardware  of  each  station  so  that  it  fails  to  rec¬ 
ognize  any  packets  that  have  been  transmitted  by  a 
station  at  a  level  higher  than  itself. 

A  covert  timing  channel  may  exist  in  such  an  MLS 
token  ring  network  when  there  are  exactly  three  sta¬ 
tions,  Si,  Sm,  and  Sh,  and  where  each  station  has  the 
respective  levels  of  Low,  Medium,  and  High  (see  figure 
4;  PHY  is  our  trusted  physical  layer  interface).  The 
actual  physical  location  of  the  stations  on  the  ring  is 
unimportant. 

Let  us  examine  our  hypothetical  MLS  Token  Ring 
network  with  three  stations,  each  with  a  unique  MAC 
level.  According  to  the  BLP  policy,  there  are  only  three 
allowable  transmissions:  Si  to  Sm,  Si  to  Sh,  and  Sm 
to  Sh  ■  Suppose  Sm  wishes  to  send  information  to  Si 
in  violation  of  the  ring’s  MLS  policy.  Further  suppose 
that  Sm  and  Si  are  acting  together  to  exploit  the  covert 
timing  channel  that  follows.  There  are  only  two  basic 
time  intervals  that  are  of  interest,  from  the  viewpoint 
of  Sm  and  S):  3 1  and  6 1. 

If  no  station  wishes  to  transmit  a  message,  then  the 
token  circulates  completely  around  the  ring  in  time  3 1, 
where  t  is  the  time  to  transmit  a  message  from  one 
station  to  another  (we  have  assumed  for  the  sake  of 
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simplicity  in  this  explanation  that  each  link  transmis¬ 
sion  takes  the  same  amount  of  time).  Explicitly,  if  the 
token  is  initially  held  by  Si,  it  takes  time  t  to  transmit 
the  token  to  Si's  downstream  neighbor  station,  it  takes 
time  t  for  Si's  downstream  neighbor  station  to  trans¬ 
mit  the  token  to  Si's  upstream  neighbor  station,  and  it 
takes  time  t  to  transmit  the  token  from  Si's  upstream 
neighbor  station  back  to  Si.  Therefore,  the  total  time 
for  this  event  is  3 1. 


Figure  4:  An  MLS  Token  Ring 
with  3  Levels  and  3  Stations 


If  any  station  (say  Si's  downstream  neighbor)  wishes 
to  transmit  a  message,  then  the  time  between  Si  ini¬ 
tially  passing  the  token,  and  then  next  receiving  it  is 
time  6 1.  In  other  words,  if  the  token  is  initially  held  by 
Si,  it  takes  time  t  to  transmit  the  token  to  Si's  down¬ 
stream  neighbor  station  (suppose  this  station  happens 
to  be  Sm  as  shown  in  figure  4).  Sm  then  captures  the 
token,  and  sends  a  message  (necessarily  destined  for  Sh 
in  this  ease)  to  its  downstream  neighbor  station,  Sh, 
taking  time  t.  Sh  then  receives  the  message,  modifies 
the  special  bit  indicating  that  it  received  the  message, 
and  transmits  the  message  to  its  downstream  station 
(Si),  taking  time  t.  Si' s  ring  interface  hardware  notices 
that  the  message  is  not  destined  for  Si,  so  it  passes  the 
message  back  to  Sm,  again  taking  time  t.  Sm  is  now 
finished  with  its  transmission,  so  it  passes  the  token  to 
its  downstream  neighbor  (Sh)  once  more  taking  time 
t.  Sh  has  nothing  to  send  to  anyone  (due  to  the  BLP 
policy)  so  it  transmits  the  token  back  to  Si  in  time  t. 
Therefore,  the  total  time  for  this  event  is  6 1. 

So  we  see  that  there  are  only  two  possible  output 
symbol  times  that  exist  (3 1  and  61).  We  believe  the 
two  output  symbol  times  can  be  exploited  by  a  covert 
timing  channel  which  we  now  describe. 

Suppose  that  Sm  wishes  to  send  information  to  Si 
in  violation  of  the  BLP  policy,  and  that  Sm  and  Si  are 
cooperating  (i.e. ,  they  are  using  the  following  protocol). 


Si  remains  completely  passive,  noting  only  when  it  has 
the  token  and  how  much  time  has  elapsed  since  it  last, 
held  the  token  (i.e.,  when  Si  transmits  the  token,  it 
starts  a  timer  used  to  note  how  much  time  has  elapsed 
until  it  next  receives  i  In  token).  These  times  will  be 
either  31  (i.e.,  no  transmissions  have  occurred),  or  6 1  (a 
transmission  has  occurred  from  Sm  to  Sh  —  the  only 
BLP  allowable  transmission  that  Si  does  not  initiate). 
If  Sm  wishes  to  send  Si  a  binary  zero,  then  when  it 
holds  the.  token  it  transmits  nothing  (i.e.,  it  just  passes 
the  token  on  to  its  downstream  neighbor)  and  when  Si 
next  holds  the  token  it  will  notice  that  only  time  31 
has  passed,  and  will  interpret  this  event  as  a  binary 
zero.  If  Sm  wishes  to  send  Si  a  binary  one,  then  when 
it  holds  the  token,  it  sends  a  message  to  Sh  (e.g.,  a 
simple  “ping”  would  suffice)  and  when  Si  next  holds 
the  token  it  will  notice  that  time  6 1  has  passed  and 
will  interpret  this  event  as  a  binary  one. 

Noise  (we  discount  thermal  noise  because  it  is  a  very 
unlikely  event  in  most  modern  ring  networks,  generally 
on  the  order  of  10-9  for  FDDI)  is  present  in  this  sys¬ 
tem  as  legitimate  messages.  This  is  because  legitimate 
messages  must  be  sent  at  some  point,  or  there  would 
be  no  reason  for  the  network  to  exist.  Of  the  3  allow¬ 
able  communications,  two  of  them  are  originated  by  Si 
which  obviously  is  aware  of  its  own  transmissions  and 
can  treat  these  events  as  a  temporary  suspension  of 
covert  channel  operations  (Sm  would  also  be  aware  of 
this  through  either  receiving  a  message  from  Si,  or  by 
inference).  Only  one  valid  transmission,  from  Sm  to  Sh 
could  introduce  noise  into  this  sysfern.  However,  the 
noise  introduced  takes  exactly  time  6 1,  the  same  time 
as  the  second  symbol.  Therefore,  we  are  dealing  with 
a  timed  Z-channel. 

The  situation  described  is  quite  possible.  In  any 
MLS  Token  Ring  network  that  has  three  or  more  sta¬ 
tions,  there  will,  at  some  point  in  the  life  of  the  net¬ 
work,  exist  a  three  station  configuration  (this  is  due 
to  the  method  for  generating  the  network  and  adding 
new  stations  —  the  interested  reader  is  referred  to  [29] 
and  [27]).  It  is  certainly  possible  that,  the  three  sta¬ 
tion  configuration  will  not.  contain  three  different,  lev¬ 
els.  However,  unless  this  can  be  ruled  out.,  a.  timed 
Z-channel  threat,  must,  be  taken  seriously.  In  addition, 
since  FDDI  and  FDDI-II  are  organized  as  token  rings, 
and  given  the  current,  popularity  of  them,  we  feel  it. 
likely  that  such  a.  scenario  may  occur.  This  is  espe¬ 
cially  so  in  the  isochronous  FDDI-II,  which  lends  itself 
to  real-time  applications.  Note  that  in  1977  Karger  [16, 
Ch.  11]  mentioned  that  covert,  channels  could  arise  by 
modulating  inter-packet,  transmission  times  in  generic 
distributed  systems. 
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2.3.  Discussion  about  the  Scenarios 

Note  that  we  have  restricted  ourselves  to  the  simpli¬ 
fied  case  of  only  two  output  symbols  in  the  presenta¬ 
tion  of  the  noisy  timing  channel  scenarios.  It  has  been 
shown  for  noiseless  timing  channels  [24]  that  introduc¬ 
ing  extra  symbols  can  greatly  increase  the  capacity. 
The  full  problem  requires  further  research,  since  we 
did  not  find  it  as  tractable  for  noisy  timing  channels. 

Also,  note  that  we  are  using  time  values  1 1  and  2t\, 
when  we  could  have  used  1 1  and  ti  +  e  where  t  need 
not  equal  t\.  The  capacity  analysis  we  do  in  this  paper 
is  the  more  general  case  where  the  two  time  values  are 
not  necessarily  multiples  of  one  another. 

Before  we  can  perform  an  analysis  of  channels  with 
more  than  two  output  symbols,  we  must  first,  under¬ 
stand  the  simpler  case  of  the  timed  Z-channel.  We 
hope  for  a  more  complete  analysis  in  the  future. 

3.  Mathematical  Background:  Golomb’s 
Z-channel 


p 


Figure  5.  The  Z-channel 


In  [6]  Golornb  succinctly  analyzed  the  mutual  infor¬ 
mation  and  channel  capacity  of  the  Z-channel  (see  fig¬ 
ure  5).  The  Z-channel1  is  a  discrete  memoryless  chan¬ 
nel  with  two  input  symbols.  One  symbol,  x3,  is  trans¬ 
mitted  without  noise  and  received  as  y3 ,  while  the  other 
input  symbol  aq  is  transmitted  with  noise  and  received 
as  either  t/i  or  y3.  We  let  u  represent  the  probability 
P(x i)  that  aq  is  the  input.  Therefore,  P(x2)  =  1  —  u. 
The  amount  of  noise  (constant  with  each  transmission) 
is  given  by  the  following  channel  matrix  (q  =  1  —  p), 
which  describes  the  conditional  probabilities. 

(  P(yi  I  *i)  P(y 2  \*i)  \  {  P  1  \ 

V  p(yi  I  x2)  P(y 2  \x2)  )  V  0  1  ) 

1We  use  a  channel  where  the  second  symbol  is  transmitted 
noiselessly.  The  standard  descriptions  of  the  Z-channel  have  the 
first  symbol  transmitted  noiselessly.  There  is  no  difference  other 
than  pictorially.  However,  our  reflected  picture  helps  with  the 
physical  intuition  of  the  timed  Z-channel  introduced  later. 


Let.  us  now  calculate  the  mutual  information  I  (in 
units  of  bits  per  symbol).  I  is  the  difference  in  en¬ 
tropies  H(Y)  —  H(Y  |  A').  The  output,  entropy  H(Y)  = 
H(  2/1, 2/2)1  where  we  are  using  the  shorthand  notation2 
of  Pl{a,  b)  =  —{a.  log  a.  +  b  log  b}.  We  condition  by 

P(yj)  =  P(Vj  I  x1)P(x1)  +  P(yj  |  x3)P(x3) 

to  facilitate  our  calculations.  Thus,  P(y\)  =  up  and 
P(y3)  =  1  —  up.  So,  H(Y)  =  H(up,  1  —  up)  .  The 
conditional  entropy  is 

H(Y  |  A)  = 

P(xi  )H(Y  |  Xl)  +  P(x3)H(Y  I  a2)  = 
P(xi)H(p ,  q)  +  P(x3)H( 0,  1)  =  uH(p,  q)  . 

Thus  we  see  that  [6,  Eq.  1] 

I  =  H(up ,  1  —  up)  —  uH(p ,  q)  . 

In  brief,  a.  timed  Z- channel  is  identical  to  Golomb’s 
Z-channel  except,  that  the  output,  symbol  y3  has  a. 
greater  transmission  time  than  t/i . 

Implicit,  in  our  discussions  of  Golomb’s  Z-channel 
is  that,  the  symbols  take  the  same  amount,  of  time  to 
be  transmitted.  The  time  that  the  symbols  take  to 
transmit,  is  not.  an  issue.  Therefore,  units  are  in  bits 
per  symbol  when  we  are  dealing  with  the  Z-channel. 
To  avoid  confusion,  I  (It)  will  be  mutual  information 
in  bits  per  symbol  (tick,  the  time  unit),  and  C  (C't) 
will  be  Capacity  in  bits  per  symbol  (tick).  In  general, 
for  discrete  memoryless  channels,  if  all  symbols  take 
the  same  time  t  t.o  be  transmitted,  we  have  7t  =  r_17 
and  Ct  =  t~1C.  However,  for  the  timed  Z-channel, 
transmission  times  of  the  two  symbols  are  different.,  so 
C't  is  not.  a.  multiple  of  C .  In  the  next,  section  we  analyze 
the  timed  Z-channel. 

4.  The  Timed  Z-channel 

We  see  from  our  above  discussions  that,  we  may  ab¬ 
stract.  our  covert,  timing  channel  scenarios  to  a.  memory¬ 
less  channel  with  two  input,  symbols  iq  and  x3.  Input, 
symbol  x3  is  transmitted  without,  noise  and  is  inter¬ 
preted  as  the  output,  symbol  y3,  taking  time  t3.  Input, 
symbol  aq  either  arrives  with  probability  p  taking  time 
t\  and  is  interpreted  as  the  output,  symbol  t/i,  or  it.  ar¬ 
rives  with  probability  q  =  1  —  p  taking  time  t3  and  is 
interpreted  as  the  output,  symbol  y3.  Note  the  output, 
symbols  are  distinguished  by  the  differing  time  values, 
whereas  in  the  Z-channel  it.  is  not.  the  1  i  1 1  n *  r- 1 1  a  1  distin¬ 
guishes  them,  but.  the  fact,  that,  tq  yt  y3.  We  will  use 

2  All  logarithms  are  base  2. 
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the  notation  “,Z(e  (-channel” ,  where  e  is  the  difference 
in  time  to  —t i  >  0,  for  the  timed  Z-channel  (see  figure 
6).  Of  course,  the  channel  matrix  of  the  Z(e  (-channel 
is  identical  to  that  of  the  Z-channel.  Therefore,  I  for 
the  Z(e  (-channel  is  thi,  same  as  I  for  the  Z-channel. 
Note  that  the  Z-channel  is  just  a  Z(0 (-channel. 


Let  T  represent  the  Bernoulli  random  variable  that 
describes  the  time  that  an  output  symbol  arrives.  The 
probability  P(T  =  tj),  or  written  more  simply  as  P(tj  ), 
is  the  probability  P(yj)  .  Hence,  the  expected  value 
(mean)  of  T  is  E(T)  =  ti(up)  +  0(1  —  up)-  Since 
e  =  t,2  —  t\  we  have 

E(T )  =  ti  +  e(l  -  up)  . 

We  see  that  if  the  channel  is  noiseless  that  E(T)\  0  = 

ti  +  e(l  —  u).  If  the  channel  is  totally  noisy  (useless) 
we  see  that  E(T)\q=1  =  tq  +  e. 

We  now  wish  to  analyze  the  mutual  information  in 
bits  per  tick,  It  =  E^T)  •  From  our  above  equations  we 
see  that 

H(up ,  1  —  up)  —  u.H (p,  q) 
t  tq+e(l-up) 

We  wish  to  calculate  the  capacity  in  units  of  bits  per 
tick,  Ct,  for  the  Z(e)-channel.  Verdu  [31]  has  shown 
that  Ct  =  max,,  It,  and  that  this  is  the  proper  measure 
of  maximal  asymptotically  error- free  information  flow. 
We  can  find  C't  by  setting  ^  =  0  and  solving  for  u. 
We  denote  the  value  of  u  that  maximizes  It  by  uc. 

(l  it  _ 
du. 


[ti  +  e(l-up)][pl°g(i7^£)--ff(P>S!)]  +  (p[H{uP,l-up)-uH(p,q)] 
hi  +  e(  1  -  up)]2 

Setting  the  derivative  to  zero  gives  us 


0  =  tip  log  ]  -  t1H(p,q)  +  tp  log 

V  up  /  V  up  / 

-tH(p,q)  -  cup2  log  (- - 

\  up  / 

+tupH  (p,  q)  —  tup2  log(  nft)  —  ejlfl  —  // /< )  log(  I  —  up)  —  tu,pH(p,q) 


which  simplifies  to 

(fl  +  H(p,  q )  =  ti  log(- - — )  +  clog  (- - — 

V  P  )  UP  \  UP  ) 

—  eup  log  ( - — )  —  tup  log  ( up )  —  e  log  ( 1  —  up  )+eup  log  ( 1  —  up ) 

up  ' 

which  further  reduces  to 

H(p,q)  =  filog(- - — )  -  clog (up)  . 

\  p  J  up 

This  simplifies  to 

log(l  -  up)tl(up)-{tl+€)  =  iog(/g«r(  — ) 

(1  — wp)*1  =  ilCqq)~^  v  )(«p)(tl  +  e) 

_  /  *l+e  \  <l+e 

1  —  up  =  (ppqq)  '  <1P  '(up)  fi  . 

Letting  k  =  (pqq^p)  ^  1  and  y-*1  =  up  we  have  the 
trinomial  equation 

l-[(«7r(tl+e)  +  7_tl]=0  (1) 

which  we  refer  to  as  the  characteristic  equation  of  the 
Z(e)-channel.  Eq.  (1)  gives  us  the  following  useful 
identities: 

(K7)“Ul+e)  -by-*1  =  1 

1  -  7_tl  =  (K7)“(tl+e)  . 

1 
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Figure  7.  pqq!p 

Since  the  term  pqqlp  is  so  important  we  will  include 
a  plot  of  it  (see  figure  7).  Keep  in  mind  that  pqq!p  is 
defined  by  its  limiting  values  of  0  and  1  at  p  =  0  and 
p  =  1,  respectively. 

Of  course,  the  variable  7  in  Eq.  (1)  is  functionally 
dependent  upon  p,  but  Eq.  (1)  is  very  appealing  be¬ 
cause  if  p  =  1,  Eq.  (1)  reduces  to 

1  -  [7"(tl+e)  +  7-*1]  =  0  (2) 
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and  uc  =  r i-tl,  where  ?q  is  the  unique  positive  root 
of  Eq.  (2).  This  is  of  interest  because  Shannon  has 
shown  that  C't  =  log?q,  [26,  24,  22]  (for  this  noiseless 
channel ) . 

Now  let  us  attempt  to  find  h-  general  closed  form  for 
the  capacity  of  the  Z(e)-channel.  Using  the  identity 
ucp  =  J’p-*1,  where  rp  is  the  positive  root  of  Eq.  (1) 
we  see  that 

H(ucp,  1  -  ucp)  =  H  (rp~t,  (urp)~itl  +  e]) 

=  -rp_tl  log  rp_tl  -  (/crp)-(tl  +  f)  log(h:rp)_(tl  +  f) 

=  tirp-*1  log  rp  +  ( #i  +  c){Krp)~Ul  +  €]  [log  rp  +  log  k] 

=  [ti  (rp_tl  +  (Krp)~{tl  +  e])  +  e(/crp)-(tl  +  f)]  log  rp 
+  (ti  +  ()(urp)~{tl  +  e]  log  u 

=  [ti  +  c(h:rp)_(tl  +  f)]  log  rp  +  ( +  e)(/crp)-(tl  +  f)  log  u  . 

Since  H(p,q)  =  —  log (jfqq)  we  see: 


u.cH(p,q) 


This  gives  us  H{  u.cp,  1 


=  -uc\og(p‘?qq) 

=  -ucp\og{pqqlp) 
=  —  Ucp  logK*1 

=  -fl«eplogK 
=  logK  . 

-  ucp)  -  ucH(p ,  q)  = 


[ti+e(Krp)  ( tl  +  f)]  log  rp 


+  (ti+c)(urp)  (tl  +  f)  log  u  +  trrp  fl  log  u 
=  [ti  +  e(/crp)-(tl  +  f)]  log  rp 
+  [ti  {rp~tl  +  (Krp)-{tl  +  e])  +  e(/crp)-(tl  +  f)]  log  k 
=  [ti  +  e(/crp)-(tl  +  f)]  (log  rp  +  log  k) 

=  [ti  +  e(/crp)-(tl  +  f)]  log  urp  . 

The  mean  time  to  receive  a  symbol,  with  respect  to 
the  maximizing  value  of  u  is 


E(T) \u=Uc  =t1+e(l-  ucp)  =  U  +  e(Krp)  {tl+€)  . 


Since  Ct  =  It(uc) 
see  that 


H(  u.cp,  1  -  u.cp)  -  u.cH(p,  q) 
E{T)\u=Uc 


we 


Theorem  1  and  Corollary  1  collapse  to  Shannon’s  result 
[26]  for  p  =  1.  Corollary  1  mimics  the  form  of  Shan¬ 
non’s  result  expressing  Ct  as  the  logarithm  of  a  zero  of 
a  polynomial.  However,  our  polynomial  does  not  have 
coefficients  all  1  as  Shannon’s.  Note  that  for  the  Z{ 0)- 
channel  our  result  gives  us  Ct  |e=o  =  -^-log(l  +pqq^p), 
which  can  be  easily  obtained  from  Golomb’s  paper. 
This  is  an  intriguing  generalization  of  Shannon’s  result 
on  capacity. 

We  also  note  that  our  results  turn  the  capacity  cal¬ 
culation  from  an  optimization  problem  into  a  much 
simpler  algebraic  problem.  The  algorithm  necessary 
to  calculate  the  capacity  is  nothing  more  than  a  simple 
root  finder. 

Let  us  see  what  else  we  can  glean  from  the  above 
results.  We  will  use  the  notation  C't(p)  for  the  ca¬ 
pacity  of  the  Z(e)-channel  with  noise  q  =  1  —  p  (for 
the  noiseless  case  the  capacity  is  then  Ct{  1))-  We  are 
interested  in  the  behavior  of  C't(p)  as  p  varies  from 
1  to  0  (i.e. ,  from  noiseless  to  useless)  for  G  and  e 
fixed.  By  Theorem  1  we  have  C't(p)  =  log  nrp  = 

log?’,,  +  logK.  Since  k  =  {pqq^p)  ^  1  we  see  that  we 

have  Ct(p)  =  log  rp  +  i2Si£i - !.  We  are  adding  a  nega¬ 

tive  (we  are  not  including  the  trivial  comparison  where 
p  =  1 )  term  to  log  rp .  We  will  use  this  expression 
to  bound  C't(p)  from  below.  Consider  the  equation 
1  —  [(K7)-(tl+f»  +  7-*1]  =  0  .  This  is  equivalent  to  the 
equation  jtl+€  =  K~{tl+€)  +  je . 


Figure  8.  Comparison  of  the  roots 


Theorem  1  C't  =  logK?’p,  where  rp  is  the  positive  root 
of  l-  [(K7)“(tl+e)  +  7-*1]  =  0  . 

By  changing  variables  in  Eq.  (1)  by  letting  w  =  kj, 
we  see  that  nrp  is  the  positive  root  of  1  —  [to-(tl+e)  + 
( pqqlp  )w-tl]  =  0  .  Therefore  we  have  the  following 
Corollary  to  Theorem  1. 


Therefore,  rp  is  the  value  of  7  where  the  plot  of  7*1+e 
intersects  the  plot  of  K_(tl+e)  +  je ,  and  jq  is  the  value 
of  7  where  the  plot  of  7*1+e  intersects  the  plot  of  1  +  je 
(see  figure  8).  Since  K_(tl+e)  >  1  we  see  that  rp  >  jq. 
Hence, 

log  ?q  <  log  rp 
log  ?q  +  log  k  <  log  rp  +  logn 

Ct(l)  +  logK  <  Ct(p)  ■ 


Corollary  1  C't  =  logxp,  where  xp  is  the  positive  root 
of  l-  [«-(tl+e)  +  (pqq^p)iirtl}  =  0. 
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Therefore  the  capacity  C't(p)  is  never  less  than  C/(  1)  + 
log k .  Since  C't(p)  <  C/(l)  we  have: 

Theorem  2  For  the  Z(e)- channel  the  capacity  C't(p) 
is  always  bounded  as 

nrax(0,  Cj(l)  +  log  k )  <  Ct{p)  <  Ct{  1)  • 

We  may  interpret  this  as  a  feasibility  region  where 
C't(p)  must  lie  (see  figure  9). 


Figure  9.  Illustration  of  Theorem  2  for  f i  =  e  =  1 


Note  that  if  we  used  Corollary  1  instead  of  Theorem 
1  we  would  only  obtain  the  known  and  obvious  bound 
that  Ct(p)  <  0(1). 

5.  Comments  on  the  very  noisy  Z(e)~ 
channel 

Majani  [18]  has  done  a  systematic  study  of  “very 
noisy”  channels  in  his  dissertation.  We  are  only  con¬ 
cerned  with  examining  the  Z(c (-channel  as  p  — *■  0+ 
(which  is  a  very  noisy  channel).  Golornb  looked  at  the 
Z-channel  under  the  same  behavior  and  noted  some  in¬ 
teresting  behavior.  We  will  show  that  the  Z(e (-channel 
behaves  similarly. 

Golornb  [6]  showed  that 

Theorem  3  (Golornb)  For  the  Z-channel, 

lim  uc  =  1/e. 

p— J-0+ 

This  result  is  remarkable  because  it  implies  that 
even  though  xi  is  received  more  and  more  often  as 
1/2 1  we  still  must  send  xi  a  large  amount  of  the  time 
to  achieve  capacity.  Further,  Golornb  showed  that  uc 


varies  only  from  1/2  to  1/e,  as  p  varies  from  1  to  0. 
This  is  of  interest  in  light  of  a  recent  result  of  Majani 
and  Rurnsey  (they  are  concerned  with  units  of  bits  per 
symbol,  not  time)  [18,  19]: 

Theorem  4  (Majani  &  Rurnsey) 

For  a  binary-input  discrete  memoryless  channel  with 
C  >  0,  C  is  achieved  when  the  the  probability  of  the 
first  symbol  being  input  is  in  the  interval  (1/e,  1  —  1/e). 

Of  course  then  the  probability  for  the  second  sym¬ 
bol  is  also  in  the  same  interval.  Therefore,  Golomb’s 
example  when  p  — *■  0+  represents  the  limiting  case  of 
Majani  and  Rurnsey ’s  result,  and  shows  that  Theorem 
4  is  the  best  possible  bound  for  uc  .  Majani  and  Rum- 
sey  have  noted  that  this  does  not  hold,  in  general,  for 
more  than  two  input  symbols.  Note  that  the  result 
does  not.  hold  for  timing  channels. 

Counter-Example:  Take  the  noiseless  ( q  =  0)  Z(e)~ 
channel  with  ti  =  1  and  e  =  29,  then  uc  ps  .919  > 
1-1/e  . 

Therefore,  Majani  and  Rurnsey ’s  result  will  not  hold 
for  timing  channels. 

Let  us  see  if  Golomb’s  result  generalizes  to  the  timed 
Z-channel  by  studying  the  Z(e)-channel  when  it  is  very 
noisy,  i.e. ,  p  — *■  0+.  As  we  remarked  above,  Golornb 
showed  for  the  Z-channel  that  uc  — *■  1/e.  Therefore, 
we  must  study  the  root  of  Eq.  (1)  when  p  =  0.  This 
is  a  little  tricky  because  both  k  and  7  are  functions  of 
p.  Recalling  that  j~fl  =  up,  so  j~€  =  ( up)€ !tl  we  may 
express  Eq.  (1)  as: 

up[(pqq/p)~1q~l£q)/ltlP)P~£/tlu£/tlp£/tl  +  1]  =  1  . 

Which,  by  letting  6  =  qq!p  simplifies  to 

p6u  +  (l/S)e/tlu1+£/tl  =6  .  (3) 

By  using  L’Hopital’s  rule  we  see  that  lim  lmS  =  — 1, 

p-i-0  + 

hence  6  — *■  e-1.  Hence  as  p  — *■  0+,  Eq.  (3)  collapses  to 

gf/tiyi  +  e/ti  _  e-l,  so  we  Jlave: 

Theorem  5  For  the  Z(e)-channel  lim  ur  =  e-1  . 

p-o+  ' 

We  find  this  result  to  be  of  great  mathematical  inter¬ 
est.  It  is  worth  noting  that  even  though  Majani  and 
Rurnsey ’s  result  on  uc  values  does  not  generalize  to 
the  timed  Z-channel,  Golomb’s  result  on  the  bound¬ 
ary  behavior  of  uc  does.  Theorem  5  might  be  of  use 
in  the  design  of  a  code  to  exploit  a  very  noisy  timed 
Z-channel. 

We  wonder  what  the  correct  generalization  of  Ma¬ 
jani  and  Rurnsey ’s  results  are  for  the  timed  Z-channel. 
Results  such  as  these  are  quite  useful  in  estimating  ca¬ 
pacity,  when  a  closed  form  might  be  difficult  to  derive. 
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6.  Conclusion 

We  examined  two  scenarios  where  the  timed  Z- 
channel  can  appear.  One  of  them  is  a  well-known  fam¬ 
ily  of  covert  channels  dating  back  to  work  on  the  CPU 
scheduling  channel.  The  other  scenario  is  interesting 
because  it  has  three  levels,  is  in  a  network  environ¬ 
ment,  and  is  previously  unknown.  We  view  these  sce¬ 
narios  as  a  serious  threat.  We  discussed  generalizations 
of  the  timed  Z-channel  and  mentioned  how  complicated 
the  mathematics  would  be  to  solve  for  their  capacity. 
In  addition  to  the  fact  that  the  timed  Z-channel  is 
present  in  real  scenarios,  it  is  also,  in  general,  a  good 
basis  for  an  analytical  study  of  noisy  timing  channels. 
We  gave  background  on  Golomb’s  classic  work  on  the 
Z-channel.  We  then  defined  the  timed  Z-channel  for¬ 
mally,  and  presented  new  results  on  its  capacity.  These 
results  showed  us  the  relationship  between  the  noise 
and  timing  factors.  The  results  also  gave  us  a  theorem 
bounding  the  capacity  in  terms  of  other  well-known  re¬ 
sults.  We  also  discovered  that  a  very  interesting  math¬ 
ematical  artifact,  the  limiting  behavior  of  the  critical 
probability  for  the  Z-channel,  generalizes  to  the  timed 
Z-channel. 

We  hope  that  our  results  will  be  of  use  to  the  de¬ 
signers  of  MLS  systems.  We  feel  that  describing  and 
thoroughly  analyzing  this  threat  is  the  first  step  in  its 
management.  We  also  feel  that  the  serious  threat  of 
our  timed  Z-channel  may  not  be  restricted  to  just  our 
example  scenarios.  In  future  work  we  plan  on  investi¬ 
gating  other  scenarios,  as  well  as  systems  having  output 
alphabets  with  more  than  two  timed  symbols. 
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